[PATCH v2 2/5] security: mark weaker passwords hashing algorithms insecure
Ahmad Fatoum
a.fatoum at pengutronix.de
Thu Aug 7 01:19:39 PDT 2025
From: Ahmad Fatoum <a.fatoum at barebox.org>
It's well known that MD5 and SHA1 aren't suitable password hashing
algorithms. Let's alert users to that fact by selecting
HAS_INSECURE_DEFAULTS.
Signed-off-by: Ahmad Fatoum <a.fatoum at barebox.org>
---
v1 -> v2:
- unchanged
---
security/Kconfig | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/security/Kconfig b/security/Kconfig
index 95c062201acf..b9447e73fc6f 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -43,10 +43,21 @@ choice
config PASSWD_SUM_MD5
bool "MD5"
select DIGEST_MD5_GENERIC
+ select HAS_INSECURE_DEFAULTS
+ help
+ MD5 had been widely used historically as a cryptographic hash function,
+ but has been found to suffer from extensive vulnerabilities.
+ Use of MD5 to hash passwords is strongly discouraged.
config PASSWD_SUM_SHA1
bool "SHA1"
select DIGEST_SHA1_GENERIC
+ select HAS_INSECURE_DEFAULTS
+ help
+ SHA1 had been widely used historically as a cryptographic hash function,
+ but has since been cryptographically broken.
+ SHA-1 was designed for speed and thus use as password hash is strongly
+ discouraged as it's easier for an attacker to brute force.
config PASSWD_SUM_SHA256
bool "SHA256"
--
2.39.5
More information about the barebox
mailing list